Is CISPA the Next SOPA/PIPA?

The Cyber Intelligence Sharing and Protection Act is coming. If you haven’t heard as much about CISPA as you did about SOPA and PIPA, you will soon. CISPA needs to change, and we need your help to change it.

CISPA is a ‘cybersecurity’ bill that exists in the U.S. House of Representatives, and it’s only a matter of time before a counterpart appears in the Senate. Last week we explained a bit about the bill and what it does here in the ServInt University. Prior versions of CISPA were as odious as PIPA and SOPA. The Internet community needs to be vigilant that the next version isn’t as well. CISPA is not the same bill as SOPA and PIPA, but it has the potential to be just as big an affront to your civil liberties.

CISPA confuses access to information with knowledge of that information.

CISPA started as a bill designed to allow more security information to pass from government agencies to the public – think, a government warning about a potential terrorist threat. But as it evolved, significant incentives were added to the legislation encouraging private Internet providers to share security threat information with the government, possibly including agencies like the NSA and FBI.

The example that has been used over and over again is that if a company like Facebook came across the next 9/11 plot, they could use CISPA to share the personal information of their users, despite what their privacy policy says. According to the bill, that sharing is voluntary, not required.

So what’s wrong with that? On its surface, CISPA seems well-intentioned enough. The idea is, if you see something, say something. This is exactly what the signs in airports tell us is going to protect us from terrorism.

But hosting providers like ServInt aren’t the same as travelers pointing out suspect packages in an airport. Hosting providers and most internet companies – while having access to their customers’ data because it is housed in their data centers – have little to no direct knowledge of the data itself. There is simply far too much of it. Even if a few companies wished to take it upon themselves to monitor their own customers for national security threats, they would have no feasible way to comb through all of their data looking for something “suspicious.”

Asking Internet companies to voluntarily report any suspicious activity of their customers is like asking baggage handlers to keep an eye out for suspicious items inside bags they are driving onto the tarmac and loading into planes.

CISPA erodes privacy rights and circumvents due process

If private companies have little to no direct knowledge of their customers’ data, then the only other scenario where CISPA would come into effect is when the government suspects a person or group of planning some kind of attack, then reaches out to the companies housing the suspect’s data and asks for any evidence these companies may have. CISPA could be used in the name of expediency to allow companies to voluntarily share any data they find with the government without a warrant, and without the fear of customer reprisal.

And to those who say that this is neither the intention nor the likely use of CISPA, what should concern us is not the intended use, or the likely use, but the unintended or possible use that a piece of legislation opens up. We must protect the rights of the few, so that we ensure the rights of the many.

If CISPA passes in its current form, privacy on the Internet will be irrevocably harmed.

As service providers, we have all made promises to our customers to protect the sensitivity of their data, and to preserve and protect our privacy policies. In a post-CISPA world this would be infinitely harder to do.

Here at ServInt, we work with thousands of businesses every day. We also talk to law enforcement regularly. We work very hard to make sure we preserve and protect due process for our clients when we are approached by law enforcement. We do so by following the law, and by following the terms of our privacy policy, which has been structured to meet our clients’ expectations, to qualify under US/EU Safe Harbor and comply with our FTC obligations.

A bill that not only encourages circumventing due process and our legal obligations to our customers, but actually acts as a get-out-of-jail-free card if we do breach our privacy policy, is the worst kind of incentive. This rotten carrot is nothing short of a free pass for Internet companies to tread on the rights of private U.S. citizens and U.S. companies, all in the name of “national security.”

CISPA puts America on a slippery slope where U.S. privacy policies would never matter again.

In today’s world, almost anything can be considered a security threat. ServInt can imagine CISPA being used to transmit almost any piece of sensitive information to law enforcement under the cover of “national security.” Given our regular contact with law enforcement, and our experience with their views of national security, it is realistic to expect them to use CISPA to encourage us to share more information than is currently required. We will be told not to worry about our privacy policy. We’ll be reminded that CISPA allows us to share data in violation of our privacy policies as long as we believe it to be an issue of national security. We’ll get told we should “act quickly,” and reminded that we “don’t want blood on your hands.”

True, lining up behind the current version of CISPA would be the easy course for companies like ServInt. We’d be able to help our government fight crime, reduce the pressure from law enforcement, and all the while ensure that we have nothing to fear from our customers as we disregard our promises to them. Under the current version of CISPA, American businesses and citizens would have no recourse if their private information was inappropriately shared with the government.

But aside from being against what ServInt stands for, treading on the rights of U.S. citizens with CISPA in the name of national security is shortsighted for two reasons:

1. CISPA would hurt the US economy

Giving Internet companies carte blanche to spy on their customers and pass on any potentially damaging data to the federal government, all without fear of reprisal in criminal or civil court, opens the door to any number of abuses. Even if you and I were to assume that U.S. companies would not misuse these powers, foreign customers of U.S.-based Internet companies are not likely to be so trusting.

Currently, the United States is the world leader in hosting online content. The Internet infrastructure industry represents a $9.2 billion trade surplus. That surplus could evaporate overnight. There are many other countries with good Internet infrastructure, and if those countries show that they respect privacy after we show we no longer do, we will see U.S. and international customers alike leaving our shores in droves, not because they are planning or committing acts that threaten U.S. national security, but simply because they do not trust a government that circumvents privacy laws and grants itself full access to all Internet users’ data under the umbrella of “national security.”

The US was the birthplace of the Internet, and it is still the center of online innovation and commerce. But if CISPA passes in its current form, another country or region will become the center of tomorrow’s digital economy.

2. CISPA will increase ‘cybersecurity’ threats far more than it will help

This shift away from U.S.-centric Internet resources will make real cybersecurity threats that much more removed from U.S. jurisdiction. By attempting to circumvent due process in the name of expedience, CISPA would push these threats offshore where they would have just as much potential to harm U.S. citizens and the U.S. economy, but would be beyond the reach of U.S. law enforcement.

Wanting better digital security is a laudable goal, but there’s a right and a wrong way to do it. It is still possible to make a better CISPA – even a good CISPA. But today’s CISPA cannot stand. CISPA in its current form is bad for U.S. businesses, bad for the U.S. economy, bad for U.S. citizens, and it will actually hamper the fight for better Internet security.

ServInt strongly opposes CISPA as it is written today. In the coming weeks you’ll hear more about how our COO, Christian Dawson, is working with the i2Coalition and members of Congress to fight this legislation, or – even better – change it into a bill that actually helps more than it hurts.

You can help too. Stand beside ServInt and companies like ours by joining the i2Coalition. Christian is actually going to be part of a webinar on Tuesday, March 26th about why you should consider joining i2C. You can sign up for the webinar here.

Chief Executive Officer, ServInt

Reed Caldwell is the founder and CEO of ServInt. Founded in 1995, ServInt has since expanded its network nationwide with data centers in Los Angeles, Northern Virginia, and the District of Columbia. Caldwell’s vision and leadership have led ServInt to become one of the most successful privately held hosting companies in the U.S. Reed is a member of San Diego Social Venture Partners (SDSVP) and a Strategic Advisor for the Equinox Center in San Diego. Reed is an active venture philanthropist and lives in Southern California.